{#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#}

/**
* Example of SASL/PLAIN Configuration
*
* KafkaServer {
*   org.apache.kafka.common.security.plain.PlainLoginModule required
*   username="admin"
*   password="admin-secret"
*   user_admin="admin-secret"
*   user_alice="alice-secret";
*   };
*
* Example of SASL/SCRAM
*
* KafkaServer {
*   org.apache.kafka.common.security.scram.ScramLoginModule required
*   username="admin"
*   password="admin-secret"
*   };
*
* Example of Enabling multiple SASL mechanisms in a broker:
*
*   KafkaServer {
*
*    com.sun.security.auth.module.Krb5LoginModule required
*    useKeyTab=true
*    storeKey=true
*    keyTab="/etc/security/keytabs/kafka_server.keytab"
*    principal="kafka/kafka1.hostname.com@EXAMPLE.COM";
*
*    org.apache.kafka.common.security.plain.PlainLoginModule required
*    username="admin"
*    password="admin-secret"
*    user_admin="admin-secret"
*    user_alice="alice-secret";
*
*    org.apache.kafka.common.security.scram.ScramLoginModule required
*    username="scram-admin"
*    password="scram-admin-secret";
*    };
*
**/

{% if kerberos_security_enabled %}

KafkaServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="{{kafka_keytab_path}}"
   storeKey=true
   useTicketCache=false
   serviceName="{{kafka_bare_jaas_principal}}"
   principal="{{kafka_jaas_principal}}";
};
KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useTicketCache=true
   renewTicket=true
   serviceName="{{kafka_bare_jaas_principal}}";
};
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="{{kafka_keytab_path}}"
   storeKey=true
   useTicketCache=false
   serviceName="zookeeper"
   principal="{{kafka_jaas_principal}}";
};
com.sun.security.jgss.krb5.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   renewTGT=false
   doNotPrompt=true
   useKeyTab=true
   keyTab="{{kafka_keytab_path}}"
   storeKey=true
   useTicketCache=false
   serviceName="{{kafka_bare_jaas_principal}}"
   principal="{{kafka_jaas_principal}}";
};

{% endif %}